•

[win@18372.4 EVENT_CATEGORY="Logon" EVENT_FACILITY="16" EVENT_ID="4624" EVENT_LEVEL="0" EVENT_NAME="Security" EVENT_REC_NUM="278198" EVENT_SID="N/A" EVENT_SOURCE="Microsoft Windows security auditing." EVENT_TASK="Logon" EVENT_TYPE="Success Audit" EVENT_USERNAME="DEMO\\user"][meta sequenceId="4027" sysUpTime="670"]

•

id=firewall time="2017-03-02 12:01:01" fw=192.168.0.238 pri=6 rule=3 proto=http src=192.168.0.23 dst=192.168.1.12

•

CEF:0|ArcSight|ArcSight|6.0.3.6664.0|agent:030|Agent [test] type [testalertng] started|Low|eventId=1 mrt=1396328238973 categorySignificance=/Normal categoryBehavior=/Execute/Start categoryDeviceGroup=/Application catdt=Security Mangement categoryOutcome=/Success categoryObject=/Host/Application/Service art=1396328241038 cat=/Agent/Started eviceSeverity=Warning rt=1396328238937 fileType=Agent cs2=<Resource D\="3DxKlG0UBABCAA0cXXAZIwA\=\="/> c6a4=fe80:0:0:0:495d:cc3c:db1a:de71 cs2Label=Configuration Resource c6a4Label=Agent IPv6 Address ahost=SKEELES10 agt=888.99.100.1 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 888.99.0.0-888.200.255.255 av=6.0.3.6664.0 atz=Australia/Sydney aid=3DxKlG0UBABCAA0cXXAZIwA\=\= at=testalertng dvchost=SKEELES10 dvc=888.99.100.1 deviceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 888.99.0.0-888.200.255.255 dtz=Australia/Sydney _cefVer=0.1

•

{"PROGRAM":"prg00000","PRIORITY":"info","PID":"1234","MESSAGE":"seq: 0000000000, thread: 0000, runid: 1374490607, stamp: 2013-07-22T12:56:47 MESSAGE... ","HOST":"localhost","FACILITY":"auth","DATE":"Jul 22 12:56:47"}

•

<123>Mar 2 10:10:10 server sshd[123]: Accepted

password for peter from 192.168.56.1 port 36858 ssh2

•

<123>1 2017-03-02T10:10:10.01+01:00

server.mycompany.lan sshd 123 ID321 [file@18372.4

.classifier.class=unknown]Accepted password for peter

from 192.168.56.1 port 36858 ssh2

127.0.0.1 - frank [02/Mar/2017:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326

"http://www.example.com/start.html" "Mozilla/4.08 [en] (Win98; I ;Nav)"

csv-parser(columns(".apache.clientip", ".apache.identname", ".apache.user", ".apache.ts",

".apache.url", ".apache.status", ".apache.contentlength", ".apache.referer", ".apache.useragent")

flags(escape-double-char,strip-whitespace) delimiters(" ") quote-pairs('""[]'));

[.apache.clientip=127.0.0.1 .apache.identname=- .apache.user=frank

.apache.ts=[02/Mar/2017:13:55:36 -0700] .apache.url="GET /apache_pb.gif HTTP/1.0"

.apache.status=200 .apache.contentlength=2326 .apache.referer=

"http://www.example.com/start.html" .apache.useragent=" Mozilla/4.08 [en] (Win98; I ;Nav)"]

${apache.user}

<123>Mar 2 10:10:10 myhost myapp[123]: a=12 b=15 c=22 d=fixme

parser p_kv { kv-parser(value_separator("=") prefix(".kv.")

template("${MESSAGE}"));};

[.kv.a=12 .kv.b=15 .kv.c=22 .kv.d=fixme]

${.kv.b}

{"PROGRAM":"prg00000","PRIORITY":"info","PID":"1234","MESSAGE":"seq:

0000000000, thread: 0000, runid: 1374490607, stamp: 2013-07-22T12:56:47

MESSAGE... ","HOST":"localhost","FACILITY":"auth","DATE":"Jul 22 12:56:47"}

Parser p_json {json-parser(prefix(".json."));};

[.json.PROGRAM=prg00000 .json.PRIORITY=info .json.PID=1234 ...

${.json.PROGRAM}

Accepted password for peter from 1.2.3.4 port 567 ssh2

Accepted @STRING:.ssh.auth:@ for @STRING:.ssh.uid:@ from @IPv4:.ssh.ip:@ port @NUMBER:.ssh.port:@

ssh2

[.classifier.class=system .ssh.auth=password .ssh.uid=peter .ssh.ip=1.2.3.4 .ssh.port=567]

${.ssh.uid}

parser p_ssh_geoip { geoip("${.ssh.ip}", prefix(".geoip.")

database("/var/lib/geoip-database-contrib/GeoLiteCity.dat"));

};

[.classifier.class=system .ssh.auth=password .ssh.uid=peter

.ssh.ip=207.46.13.167 .ssh.port=567 .geoip=47.680099,-

122.120598]

parser p_add_context_data { add-contextual-data(selector("${.ssh.uid}"),

database("context-info-db.csv"), prefix(".metadata") default-selector("no-uid"));};

peter;serveradmin

no-uid;no-group

[.classifier.class=system .ssh.auth=password .ssh.uid=peter .ssh.ip=207.46.13.167

.ssh.port=567 .geoip=47.680099,-122.120598 .metadata=serveradmin]

Accepted password for peter from 1.2.3.4 port 567 ssh2

Accepted password for root from 4.3.2.1 port 765 ssh2

rewrite r_violation {

set("violation" value(".classifier.class") condition(match("root" value(".classifier.uid"))));

};

[.classifier.class=system .ssh.auth=password .ssh.uid=peter .ssh.ip=1.2.3.4 .ssh.port=567

.geoip=47.680099,-122.120598 .metadata=serveradmin]

[.classifier.class=violation .ssh.auth=password .ssh.uid=root .ssh.ip=4.3.2.1 .ssh.port=765

.geoip=47.680099,-122.120598 .metadata=goduser]

rewrite r_anon { set("HIDDEN") template("${.ssh.uid}");

set("HIDDEN") template("${.ssh.ip}"); };

[.classifier.class=system .ssh.auth=password .ssh.uid=HIDDEN

.ssh.ip=HIDDEN .ssh.port=567 .geoip=47.680099,-122.120598

.metadata=serveradmin]

rewrite r_uid { subst(".*", "$(sha1 $0)", value(".ssh.uid"));

subst(".*", "$(sha1 $0)", value(".ssh.ip"));};

[.classifier.class=system .ssh.auth=password

.ssh.uid=5d2c6a9b917d0dce3cbd4dc4c0626c56f6cf9298

.ssh.ip=bd4dc4c0626c56f6cf9295d2c6a9b917d0dce3c8 .ssh.port=567

.geoip=47.680099,-122.120598 .metadata=serveradmin]

Accepted password for peter from 1.2.3.4 port 567 ssh2

rewrite pseudonymize_ip_addresses_in_message {

subst("((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-

4][0-9]|25[0-5]))", "$(sha1 $0)", value("MSG"), flags(global)

);};

Accepted password for peter from 5d2c6a9b917d0dce3cbd4dc4c0626c56f6cf9298 port

567 ssh2

<123>Mar 2 10:10:10 www myapp[123]: Payment done by

378282246310005 (AMEX).

rewrite { credit-card-mask(value("MSG")); };

<123>Mar 2 10:10:10 www myapp[123]: Payment done by

378282******005 (AMEX).

<123>Mar 2 10:10:10 www myapp[123]: Payment done by

378282246310005 (AMEX).

rewrite { credit-card-hash(value("MSG")); };

<123>Mar 2 10:10:10 www myapp[123]: Payment done by

5d2c6a9b917d0dce3cbd4dc4c0626c56f6cf9298 (AMEX).